
JSON Web Tokens (JWT) are a popular method for creating signed, transparent tokens that clients and servers can verify. They are enshrined in standards such as OpenID Connect, which makes them a widespread and required component of many modern web authentication systems.

This is a minimal implementation of JWTs and OIDC tokens that aims for auditability and correctness.

Examples

use std::str::FromStr;
use std::convert::TryFrom;
use std::time::SystemTime;
use url::Url;
use compact_jwt::{JwsValidator, JwsSigner, OidcToken, OidcSubject, OidcUnverified};

let oidc = OidcToken {
    iss: Url::parse("https://oidc.example.com").unwrap(),
    sub: OidcSubject::S("UniqueId".to_string()),
};

let jws_signer = JwsSigner::generate_es256()
    .unwrap();

let oidc_signed = oidc.sign(&jws_signer)
    .unwrap();

// Get the signed formatted token string
let token_str = oidc_signed.to_string();

// Build a validator from the public key of the signer. In a client scenario
// you would get this public jwk from the oidc authorisation server.
let public_jwk = jws_signer.public_key_as_jwk(Some("my_key_id"))
    .unwrap();
let jws_validator = JwsValidator::try_from(&public_jwk)
    .unwrap();

// Assuming we have the token_str, start to validate it.
let oidc_unverified = OidcUnverified::from_str(&token_str)
    .unwrap();

let curtime = SystemTime::now()
    .duration_since(SystemTime::UNIX_EPOCH)
    .expect("Failed to retrieve current time")
    .as_secs() as i64;

let oidc_validated = oidc_unverified
    .validate(&jws_validator, curtime)
    .unwrap();

// Prove we got back the same content.
assert!(oidc_validated == oidc);
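The example above leans on two pieces of plumbing that the crate keeps out of view: the base64 handling described under Modules below (decode whatever alphabet and padding a client sends, always encode URL-safe without padding) and the time checks implied by passing `curtime` to `validate`. The block below, an added example that is not code from the compact_jwt crate, implements both over a constructed token using only the standard library. The names `decode_lenient`, `encode_url_safe`, `split_compact`, `check_time_claims` and `sample_token` are this example's own, the JSON claim lookup is a deliberately naive flat-object scan, and no signature is verified: a real validator must check the signature before any claim is trusted.

```rust
// Added example, not code from the compact_jwt crate. Base64 that decodes
// leniently but encodes URL-safe without padding, plus exp/nbf checks against
// an i64 curtime (seconds since the Unix epoch, as in the page's example).
// No signature verification is performed here.

const URL_SAFE: &[u8; 64] =
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Decode base64 from either the standard (`+` `/`) or URL-safe (`-` `_`)
/// alphabet, with or without trailing `=` padding. Any other byte, or a
/// dangling single symbol that cannot encode a whole byte, is rejected.
pub fn decode_lenient(input: &str) -> Option<Vec<u8>> {
    let body = input.trim_end_matches('=');
    let mut out = Vec::with_capacity(body.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for &c in body.as_bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' | b'-' => 62,
            b'/' | b'_' => 63,
            _ => return None,
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    if bits == 6 { None } else { Some(out) }
}

/// Encode as base64 URL-safe without padding, the only form emitted on the wire.
pub fn encode_url_safe(data: &[u8]) -> String {
    let mut s = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let mut n = 0u32;
        for (i, &b) in chunk.iter().enumerate() {
            n |= u32::from(b) << (16 - 8 * i);
        }
        // 1 input byte -> 2 symbols, 2 -> 3, 3 -> 4.
        for i in 0..=chunk.len() {
            s.push(URL_SAFE[((n >> (18 - 6 * i)) & 0x3f) as usize] as char);
        }
    }
    s
}

/// The three decoded segments of a compact JWS (`header.payload.signature`).
pub struct JwsSegments {
    pub header: Vec<u8>,
    pub payload: Vec<u8>,
    pub signature: Vec<u8>,
}

/// Split a compact JWS and decode each segment; exactly three segments required.
pub fn split_compact(token: &str) -> Option<JwsSegments> {
    let mut parts = token.split('.');
    let header = decode_lenient(parts.next()?)?;
    let payload = decode_lenient(parts.next()?)?;
    let signature = decode_lenient(parts.next()?)?;
    if parts.next().is_some() {
        return None;
    }
    Some(JwsSegments { header, payload, signature })
}

/// Naive integer claim lookup in a flat JSON object (example only, not a parser).
fn claim_i64(payload: &str, name: &str) -> Option<i64> {
    let key = format!("\"{}\":", name);
    let rest = payload[payload.find(&key)? + key.len()..].trim_start();
    let end = rest.find(|c: char| !(c.is_ascii_digit() || c == '-')).unwrap_or(rest.len());
    rest[..end].parse().ok()
}

#[derive(Debug, PartialEq)]
pub enum TimeCheck { Valid, Expired, NotYetValid, MissingExp }

/// Compare `exp` (required) and `nbf` (optional) with `curtime`.
pub fn check_time_claims(payload: &[u8], curtime: i64) -> TimeCheck {
    let text = String::from_utf8_lossy(payload);
    let exp = match claim_i64(&text, "exp") {
        Some(exp) => exp,
        None => return TimeCheck::MissingExp,
    };
    if curtime >= exp {
        return TimeCheck::Expired;
    }
    if claim_i64(&text, "nbf").map_or(false, |nbf| curtime < nbf) {
        return TimeCheck::NotYetValid;
    }
    TimeCheck::Valid
}

/// Constructed sample (not a real issued token): payload carries nbf 1700000000
/// and exp 1700003600; the signature bytes are placeholders, not a valid ES256.
pub fn sample_token() -> String {
    let header = br#"{"alg":"ES256","kid":"my_key_id"}"#;
    let payload =
        br#"{"iss":"https://oidc.example.com","sub":"UniqueId","nbf":1700000000,"exp":1700003600}"#;
    let signature = [0x01u8; 64];
    format!("{}.{}.{}", encode_url_safe(header), encode_url_safe(payload), encode_url_safe(&signature))
}

fn main() {
    let token = sample_token();
    let seg = split_compact(&token).expect("well-formed compact JWS");
    println!("header: {}", String::from_utf8_lossy(&seg.header));
    println!("at 1700001000: {:?}", check_time_claims(&seg.payload, 1700001000));
}
```

The decoder accepts `+`/`/` and `=` padding because some clients still emit them, but the encoder only ever produces the URL-safe unpadded form, so a round trip through this code normalises a token rather than preserving a non-canonical encoding. Note that `check_time_claims` returns a verdict rather than the claims themselves, mirroring the page's unverified-to-validated flow where claims are only handed back once every check has passed.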

Re-exports

pub use crate::crypto::JwaAlg;
pub use crate::crypto::Jwk;
pub use crate::crypto::JwkKeySet;
pub use crate::crypto::JwkUse;
pub use crate::crypto::JwsSigner;
pub use crate::crypto::JwsValidator;
pub use crate::error::JwtError;
pub use crate::jws::Jws;
pub use crate::jws::JwsSigned;
pub use crate::jws::JwsUnverified;
pub use crate::jwt::Jwt;
pub use crate::jwt::JwtSigned;
pub use crate::jwt::JwtUnverified;
pub use crate::oidc::OidcClaims;
pub use crate::oidc::OidcSigned;
pub use crate::oidc::OidcSubject;
pub use crate::oidc::OidcToken;
pub use crate::oidc::OidcUnverified;

Modules

Base64 data that encodes to Base64 UrlSafe, but can decode from multiple base64 implementations to account for various clients and libraries. Compatible with serde.

JWS Cryptographic Operations

Error types.

JWS implementation

JWT implementation

OIDC token implementation